| Bug #105435 | InnoDB: mem_heap_alloc(heap, 0) returns non-null pointer | | |
|---|---|---|---|
| Submitted: | 3 Nov 2021 3:23 | Modified: | 3 Nov 2021 4:58 |
| Reporter: | Shaohua Wang (OCA) | Email Updates: | |
| Status: | Verified | Impact on me: | |
| Category: | MySQL Server: InnoDB storage engine | Severity: | S3 (Non-critical) |
| Version: | 8.0 | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
| Tags: | Contribution | | |
[3 Nov 2021 3:25]
Shaohua Wang
check zero alloc functions
Attachment: mem_heap_alloc_zero_check.patch (application/octet-stream, text), 6.11 KiB.
[3 Nov 2021 3:26]
Shaohua Wang
The above file shows functions that allocate 0-length memory (found by running the innodb suite).
[3 Nov 2021 4:58]
MySQL Verification Team
Hello Shaohua, Thank you for the report and contribution. Please ensure to attach the patch via the contribution tab, otherwise we would not be able to use it. Thank you! regards, Umesh
[3 Nov 2021 7:47]
Shaohua Wang
Contributed patch (*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.
Contribution: mem_heap_alloc_zero.patch (application/octet-stream, text), 816 bytes.
[3 Nov 2021 8:15]
MySQL Verification Team
Thank you, Shaohua. regards, Umesh
[16 Nov 2021 7:07]
Shaohua Wang
Contributed patch (*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.
Contribution: mem_heap_alloc_zero_contribution.patch (application/octet-stream, text), 1.89 KiB.
[16 Nov 2021 8:19]
MySQL Verification Team
Thank you, Shaohua. regards, Umesh

Description:
mem_heap_alloc allows allocating 0-length memory and returns a valid pointer. If the pointer is used outside the function, it is hard for ASAN to find the invalid write and read (it is usually inside the heap itself), but it has potential risk.

```c
/** Allocates n bytes of memory from a memory heap.
@param[in] heap memory heap
@param[in] n number of bytes; if the heap is allowed to grow into the buffer pool, this must be <= MEM_MAX_ALLOC_IN_BUF
@return allocated storage, NULL if did not succeed (only possible for MEM_HEAP_BTR_SEARCH type heaps) */
static inline void *mem_heap_alloc(mem_heap_t *heap, ulint n)
```

How to repeat:
code investigation

Suggested fix:
Return nullptr, so the invalid write or read will be found immediately.

```diff
diff --git a/storage/innobase/include/mem0mem.ic b/storage/innobase/include/mem0mem.ic
index f0ef82f3fda..a3a1bf47966 100644
--- a/storage/innobase/include/mem0mem.ic
+++ b/storage/innobase/include/mem0mem.ic
@@ -152,6 +152,10 @@ static inline void *mem_heap_alloc(mem_heap_t *heap, ulint n) {
   byte *buf;
   ulint free;
 
+  if (n == 0) {
+    return (nullptr);
+  }
+
   ut_d(mem_block_validate(heap));
 
   block = UT_LIST_GET_LAST(heap->base);
```
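Review bot: the early return `+ if (n == 0) { + return (nullptr); + }` changes the contract stated in the function comment quoted above, which says a NULL return is "only possible for MEM_HEAP_BTR_SEARCH type heaps"; after this hunk every heap type can return nullptr, so callers that skip the NULL check because they use a non-BTR_SEARCH heap will dereference nullptr on a zero-length request instead of getting a pointer. Update the @return text in the same patch, and since the reporter's own attachment lists functions in the innodb suite that already request 0 bytes, either fix those callers first or make the check debug-only (for example a ut_ad(n > 0) beside the existing ut_d(mem_block_validate(heap))) so that release builds do not start handing nullptr to code that has not been audited for it.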
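As an added illustration of the aliasing the report describes (this is not InnoDB code; the arena, its 8-byte rounding, the sizes and the buggy caller are constructed assumptions), a minimal C bump allocator whose zero-length allocation hands back a pointer that the next allocation reuses, beside the variant that applies the suggested n == 0 check:

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed arena: one malloc'd block handed out by bumping a cursor,
 * rounding each request up to 8 bytes, in the spirit of mem_heap_alloc()
 * carving space out of its current block. Names and sizes are assumptions
 * for illustration, not InnoDB's. */
typedef struct {
  unsigned char *base;
  size_t used;
  size_t size;
} arena_t;

static arena_t *arena_create(size_t size) {
  arena_t *a = malloc(sizeof *a);
  if (a == NULL) return NULL;
  a->base = malloc(size);
  if (a->base == NULL) { free(a); return NULL; }
  a->used = 0;
  a->size = size;
  return a;
}

static void arena_destroy(arena_t *a) {
  if (a != NULL) { free(a->base); free(a); }
}

/* Pre-fix behaviour: n == 0 rounds to 0, the cursor does not move, and the
 * caller receives a valid pointer that aliases whatever is allocated next. */
static void *arena_alloc_lenient(arena_t *a, size_t n) {
  size_t rounded = (n + 7) & ~(size_t)7;
  if (rounded > a->size - a->used) return NULL;
  void *p = a->base + a->used;
  a->used += rounded;
  return p;
}

/* Behaviour with the suggested fix: a zero-length request is refused. */
static void *arena_alloc_strict(arena_t *a, size_t n) {
  if (n == 0) return NULL;
  return arena_alloc_lenient(a, n);
}

/* True when p lies inside the arena's single malloc'd block. Every pointer
 * the lenient allocator returns satisfies this, which is why a write through
 * one of them stays inside addressable memory and ASAN reports nothing. */
static int arena_owns(const arena_t *a, const void *p) {
  const unsigned char *q = p;
  return q >= a->base && q < a->base + a->size;
}

/* Models a caller that computes a zero length (e.g. strlen("") with no room
 * for the terminator) and then writes one byte through the result.
 * Returns 1 if that byte landed on the next, unrelated allocation, 0 if the
 * request was refused with NULL so the caller could notice its bug. */
static int zero_alloc_clobbers_next(int use_strict) {
  arena_t *a = arena_create(4096);
  if (a == NULL) return -1;
  void *(*alloc)(arena_t *, size_t) =
      use_strict ? arena_alloc_strict : arena_alloc_lenient;
  unsigned char *zero = alloc(a, 0);  /* buggy caller: asks for 0 bytes */
  unsigned char *next = alloc(a, 16); /* legitimate allocation that follows */
  int clobbered = 0;
  if (zero != NULL && next != NULL) {
    memset(next, 0x41, 16);
    zero[0] = 0x5a;                   /* the "invalid write" from the report */
    clobbered = (next[0] == 0x5a) && arena_owns(a, zero);
  }
  arena_destroy(a);
  return clobbered;
}

int main(void) {
  printf("lenient: neighbour clobbered = %d\n", zero_alloc_clobbers_next(0));
  printf("strict:  neighbour clobbered = %d\n", zero_alloc_clobbers_next(1));
  return 0;
}
```

Built with -fsanitize=address the lenient run still prints 1 with no sanitizer report, because every byte touched is inside one live malloc'd block; the strict variant turns the same caller bug into a NULL return, which the caller either checks or dereferences at an address any sanitizer or the kernel flags at the faulting instruction.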